04-19-2010 03:24 AM - edited 03-10-2019 05:04 PM
Hi,
I have some Nexus switches deployed in my network. They are authenticating user access via TACACS/ACS (4.2). I would like to get the user role part working as currently any users logging in get defaulted to a network-operator role so don't have full configuration ability. Reading the Nexus guide I see that this is achieved by somehow using the following Cisco VSA:
shell:roles="network-operator vdc-admin"
Can anyone help me to understand specifically how to get this configured? I guess that on the ACS somewhere I need to return this attribute for a user. However I can't see where it's configured. I have been through the ACS admin guide but it's not clear to me.
Many Thanks
RK
04-19-2010 09:32 AM
You can configure this attribute per user or per group.
First, go to Interface Configuration -> TACACS+ and enable "Display a window for each service selected in which you can enter customized TACACS+ attributes".
Next, go to the user or group where you want to grant this role and check the box next to "Shell (exec)" and in the custom attributes field below add the role assignment.
Note: if you will be authenticating on both NX-OS and IOS devices, use * instead of = to make the role optional or the IOS devices will fail authorization.
i.e.:
shell:roles*"network-admin"
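To illustrate the note about * versus =, here is an added example (not code from the thread, Cisco or ACS): a small Python model of how a TACACS+ client treats mandatory (=) and optional (*) attribute-value pairs as defined in the TACACS+ protocol (RFC 8907). The table of which attributes each platform understands is an assumption made for this illustration, drawn only from what the thread describes (IOS honours priv-lvl, NX-OS honours roles).

```python
"""Model of TACACS+ AV-pair handling: mandatory '=' vs optional '*' separators."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# An AV pair as typed into the ACS custom attributes box, e.g. shell:roles*"network-admin".
# The separator decides what a client that does NOT know the attribute must do:
#   '=' mandatory -> unknown attribute means the whole authorization fails
#   '*' optional  -> unknown attribute is simply ignored
_AVPAIR = re.compile(r'^(?:(?P<service>[^:=*]+):)?(?P<attr>[^=*]+)(?P<sep>[=*])(?P<value>.*)$')


@dataclass
class AVPair:
    service: Optional[str]
    attr: str
    mandatory: bool
    value: str


def parse_avpair(text: str) -> AVPair:
    """Split 'service:attr<sep>value' (service prefix optional) into its parts."""
    m = _AVPAIR.match(text.strip())
    if not m:
        raise ValueError(f"not a TACACS+ AV pair: {text!r}")
    value = m.group("value").strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # ACS allows quoting multi-word values such as "network-admin vdc-admin"
    return AVPair(m.group("service"), m.group("attr"), m.group("sep") == "=", value)


# ASSUMPTION for illustration only: which attributes each platform acts on.
KNOWN_ATTRS = {"ios": {"priv-lvl"}, "nxos": {"roles"}}


def authorize(platform: str, avpairs: List[str]) -> Optional[Dict[str, str]]:
    """Return the attributes the device would apply, or None if authorization fails."""
    applied: Dict[str, str] = {}
    for raw in avpairs:
        pair = parse_avpair(raw)
        if pair.attr in KNOWN_ATTRS[platform]:
            applied[pair.attr] = pair.value
        elif pair.mandatory:
            return None  # unknown mandatory attribute: the client must treat the request as failed
        # unknown optional attribute: silently skipped
    return applied


if __name__ == "__main__":
    both = ['shell:priv-lvl=15', 'shell:roles*"network-admin"']
    print("ios :", authorize("ios", both))   # {'priv-lvl': '15'}
    print("nxos:", authorize("nxos", ['shell:roles*"network-admin vdc-admin"']))
```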
04-20-2010 03:32 AM
Hi Javier,
That worked perfectly.
Thanks very much
RK
04-26-2010 11:44 PM
Hi Javier
I've the same problem. I configured everything as you recommended in your posting, but I still end up in the default role "network-operator".
ACS 4.2 Configuration:
user config
shell exec (enabled)
shell:roles*"network-admin"
After Login - the output of the command "show user-account" says:
user:ude3964
roles:network-operator
account created through REMOTE authentication
AAA Configuration:
rzsgwu3s097# sh run aaa
version 4.1(3)N2(1a)
aaa authentication login default group tacacs local
aaa authentication login console group tacacs local
aaa authorization config-commands default group tacacs
aaa authorization commands default group tacacs
aaa authentication login error-enable
tacacs-server directed-request
rzsgwu3s097# sh run tacacs+
version 4.1(3)N2(1a)
feature tacacs+
tacacs-server timeout 3
tacacs-server host 172.28.193.34 key 7 "wg$yscmfv1"
tacacs-server host 172.28.193.35 key 7 "wg$yscmfv1"
aaa group server tacacs+ tacacs
server 172.28.193.35
source-interface Vlan501
In the debug aaa all - there is not much to see. NX-OS in this case is not as good as IOS.
In the ACS passed Authentication Report everything looks fine.
Do you have any idea how to go further?
Cheers
Patrick
06-10-2010 06:15 AM
We are using both IOS and NX-OS switches. The av-pair used for IOS = shell:priv-lvl-15 and for NX-OS shell:role*"network-admin". After configuring:
" cisco av-pair = shell:priv-lvl-15 shell:role*"network-admin" " I can login on the IOS switch in enable mode and only network-operator mode on the NX-OS.
After configuring: "cisco av-pair =shell:role*"network-admin" shell:priv-lvl-15 " only NX-OS as network-admin and IOS in exec mode.
Do you have any idea how to configure the correct config for av-pair for NX-OS and IOS switches?
06-10-2010 06:24 AM
Can you capture the traffic between the TACACS+ server and the switches and post it here, so we can see what is actually being sent?
You will want to capture both instances, i.e., when NX-OS works right and when IOS works right.
06-11-2010 11:21 AM
Try removing:
aaa authorization config-commands default group tacacs
aaa authorization commands default group tacacs
I believe with Nexus you can only do RBAC OR command authorization, not both.
11-18-2010 05:50 AM
Does anybody know if this can be done in ACS 5.1 as I am looking for TACACS+ VSA options to do this, but all I can find is RADIUS VSA options to be configured?
11-18-2010 05:55 AM
You can send custom AV pairs with ACS 5.1, by creating a custom shell profile under policy elements, then you would tie this shell profile to an authorization policy.